Cloud Security Frame

We organize our scenarios for key problem areas into a frame. We use the scenarios to figure out where customers need more help, and to test how well the guidance, tools, and platform address the problems.

Hot Spots

Auditing

Authentication

Authorization

Code Access Security

Communication

Data Access

Deployment Considerations

Exception Management

Logging

Message and Data Validation

Message Protection

Message Replay Protection

Sensitive Data

Session Mgmt

Troubleshooting and Debugging

Validation

Frame

Hot Spot

Key Decisions

Auditing

P1

* How to audit.

* How to use platform features to log information in the cloud.

* How to avoid storing PKI in log files.

* How to avoid storing sensitive information in log files.

P2

* How to identify the operations and events to be audited.

* How to archive log information.

* How to handle log failures.

* How to retrieve log information from the cloud.

* How to implement a notification system

Authentication

P1

* How to choose authentication strategy for cloud based application.

* How to manage user credentials.

P2

* How to authenticate mobile device users against cloud user store.

* How to use existing user security stores with cloud based application.

* How to using existing user credentials with a cloud based application.

* How deploy and use a user store in the cloud.

* How to map user in local user security store to a STS.

* How to map user attributes to claims.

* How to combine claims associated with identities from separate user stores into new set of claims useful for your application.

* How to manage user accounts securely

* How to build a basic STS

* How to build a basic Identity Provider

Authorization

P1

* How to choose authorization strategy.

* How to integrate with Active Directory.

* How to integrate with my Membership Provider.

P2

* How to combine multiple claims from separate providers into single token.

* How to use claims to isolate authentication and authorization logic in your application.

* How to decide what you can authorize in your security infrastructure and what requires application level action.

* How to decide authorization granularity for your application.

* How to use role store in clouds.

* How to map groups in local directory to roles in the claims.

* How to use roles with claims.

* How to map a Windows login ID to a claims token.

* How to use resources with claims.

* How to authorize users based on claims.

* How to prevent your application from relying on administrative privileges it will not have in the cloud.

Communication

P1

* How to choose between REST, SOAP, or Web/Http.

* How to choose protocol, security and communication-style for communication with your cloud application.

* How to choose between message security and transport security.

P2

* How to handle interruptions in access to cloud applications.

* How to handle asynchronous calls between cloud and non-cloud applications.

* How to interact with non cloud applications that require fixed IP address.

Data Access

P1

* How to choose where to store your connection strings.

* How to encrypt your connection strings.

* If existing data, how to choose whether to move my data to the cloud.

* If starting from scratch, how to choose whether to put my data in the cloud or in a local data center.